samba 3.0 pre21:joining domain with windows 2000
Matt Roberts
mattro at grda.com
Fri Dec 13 08:45:01 GMT 2002
Gentlemen,
I am also seeing the problem in this thread (latest 3.0 alpha), but I am
running only the LDAP backend. However, I see something that might help.
Details below. But first the setup:
>> I think the machine accounts will be stored in whatever passdb backend
>> is listed first. sounds like you need it to be smbpasswd_nua unixsam.
I have only the LDAP backend listed, and no others, but the same symptoms.
However...
>> do you see the new machine account in smbpasswd?
Yes. I did a 'smbpasswd -am <machine_name>' before the join, and it
installed the appropriate LDAP attributes for the system in question.
Then I did a join from the W2K SP3 client, and it said "Welcome to ...
Domain!"
>> use the admin users param
I joined the domain using one of the users in 'admin users'...
The logfile shows this when I try to logon at the W2K station (names
changed to not show development environment). Please see my notes below
on what I think might be significant here:
[2002/12/13 01:55:07, 2] smbd/reply.c:reply_special(79)
netbios connect: name1=SAMBA-DC name2=WIN2K-PRO
[2002/12/13 01:55:07, 2] smbd/reply.c:reply_special(93)
netbios connect: local=samba-DC remote=WIN2K-PRO
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
ldapsam_search_one_user: searching for:[rid=501]
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_open_connection(262)
ldap_open_connection: connection opened
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_connect_system(414)
ldap_connect_system: succesful connection to the LDAP server
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
ldapsam_search_one_user: searching for:[(&(uid=)(objectclass=sambaAccount))]
[2002/12/13 01:55:07, 2] auth/auth.c:check_ntlm_password(271)
check_password: Authentication for user [] -> [] FAILED with error NT_STATUS_NO_SUCH_USER
[2002/12/13 01:55:07, 2] smbd/server.c:exit_server(534)
Closing connections
And my smb.conf looks like this:
[global]
security = user
workgroup = DOMAIN
netbios name = SAMBA-DC
encrypt passwords = Yes
server string = Primary Fileserver (Linux 2.4/Samba %v)
load printers = yes
printing = LPRNG
printcap name = /etc/printcap
lpq cache time = 2
lock directory = /var/lock/samba
log file = /var/log/samba
guest account = guest
invalid users = root
; 'admin' is a posixGroup defined in the LDAP directory
admin users = @admin
browseable = yes
browse list = yes
name resolve order = wins lmhosts bcast
passdb backend = ldapsam
ldap admin dn = uid=Samba,ou=System,dc=example,dc=net
ldap server = example.net
ldap ssl = off
ldap port = 389
ldap suffix = dc=example,dc=net
ldap user suffix = ou=Users
ldap machine suffix = ou=Hosts
ldap passwd sync = yes
os level = 65
domain logons = yes
preferred master = yes
domain master = yes
local master = yes
logon path =
And the machine account in question looks like this in the backend:
dn: uid=WIN2K-PRO$, ou=Hosts, dc=example, dc=net
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 1005
gidNumber: 1007
homeDirectory: /dev/null
rid: 3010
displayName: My Workstation (Win2k)
cn: My Workstation (Win2k)
uid: WIN2K-PRO$
primaryGroupID: 3015
acctFlags: [UW ]
pwdMustChange: 1041579955
lmPassword: 676C362D1B62CE1B32C2D0BFEB16C147
ntPassword: A7D319642F0D1B10B574C64CB4FB69FC
pwdLastSet: 1039765555
I joined this domain with the same system yesterday with a 2.2.7 DC, and
it gave the following additional fields:
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
But even if I add those fields to the LDAP entry for the Windows 2000 machine
in the 3.0a system, I get the same result.
*However*, I was very interested to see this in the above log excerpt:
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
ldapsam_search_one_user: searching for:[(&(uid=)(objectclass=sambaAccount))]
That is always going to return an empty result set (right?), because none
of the entries have an empty uid. I will study the source a little
closer, but I assume that has something to do with why I can't logon.
Could the code that did that request also be causing the trouble you all
have been discussing?
Also, shouldn't the FLAGS be just 'W' instead of 'UW'? I'll also play
with that to see what happens.
Might I contribute something more from my logfiles that would help you
find what is causing this? If you want to see more of my LDAP tree,
please let me know.
Thank you,
Matt
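
Added example, not part of the original post and not Samba code: a Python check that scans an smbd log in the layout quoted above for the pattern the post points out, an ldapsam search whose filter carries an empty attribute value, alongside authentication failures for an empty username. The sample log is constructed from the excerpt in the post, and the function names and finding labels are this example's own.

```python
import re

# Constructed sample in the level-2 smbd log layout quoted in the post:
# a "[timestamp, level] file:function(line)" header, then message lines.
SAMPLE_LOG = """\
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching for:[rid=501]
[2002/12/13 01:55:07, 2] passdb/pdb_ldap.c:ldapsam_search_one_user(641)
  ldapsam_search_one_user: searching
  for:[(&(uid=)(objectclass=sambaAccount))]
[2002/12/13 01:55:07, 2] auth/auth.c:check_ntlm_password(271)
  check_password: Authentication for user [] -> [] FAILED with error
  NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$")
SEARCH = re.compile(r"searching for:\[(?P<filter>.*)\]$")
# "attr=" directly followed by ")" or the end of the filter: an empty value.
EMPTY_VALUE = re.compile(r"([A-Za-z][\w-]*)=(?=\)|$)")
AUTH_FAIL = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\].*FAILED with error (?P<status>\S+)")

def parse_entries(text):
    """Return (timestamp, source, message) tuples; wrapped message lines are rejoined."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            entries.append([m["ts"], m["src"], []])
        elif entries and line.strip():
            entries[-1][2].append(line.strip())
    return [(ts, src, " ".join(msg)) for ts, src, msg in entries]

def find_empty_lookups(text):
    """Flag LDAP searches with an empty attribute value and empty-username auth failures."""
    findings = []
    for ts, _src, msg in parse_entries(text):
        s = SEARCH.search(msg)
        if s:
            for attr in EMPTY_VALUE.findall(s["filter"]):
                findings.append((ts, "empty-filter-value", attr))
        a = AUTH_FAIL.search(msg)
        if a and a["user"] == "":
            findings.append((ts, "empty-username-auth-failure", a["status"]))
    return findings

if __name__ == "__main__":
    for finding in find_empty_lookups(SAMPLE_LOG):
        print(finding)
```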